<!DOCTYPE HTML PUBLIC  "-//W3C//DTD HTML 4.01 Transitional//EN"
	"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>OpenBSD Security</title>
<link rev=made href="mailto:www@openbsd.org">
<link rel="alternate" type="application/rss+xml" title="OpenBSD errata (external)" href="http://www.undeadly.org/cgi?action=errata">
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="resource-type" content="document">
<meta name="description" content="OpenBSD advisories">
<meta name="keywords" content="openbsd,main">
<meta name="distribution" content="global">
<meta name="copyright" content="This document copyright 1997-2008 by OpenBSD.">
</head>

<body bgcolor="#ffffff" text="#000000" link="#23238E">
<a href="index.html"><img alt="[OpenBSD]" height="30" width="141" src="images/smalltitle.gif" border="0"></a>
<p>
<h2><font color="#e00000">Security</font></h2>
<hr>

<table width="100%">
<tr>
<td colspan="2">
<strong>Index</strong>
</td>
</tr>
<tr>
<td valign="top">
<a href="#goals">Security goals of the Project</a>.<br> 
<a href="#disclosure">Full Disclosure policy</a>.<br> 
<a href="#process">Source code auditing process</a>.<br> 
<a href="#default">"Secure by Default"</a>.<br> 
<a href="#crypto">Use of Cryptography</a>.<br> 
<p>
<a href="#watching">Watching changes</a>.<br> 
<a href="#reporting">Reporting security issues</a>.<br> 
<a href="#papers">Further Reading</a><br>
<p>
</td>
<td valign="top">
For security advisories for specific releases, click below:<br>
<a href="#20">2.0</a>,
<a href="#21">2.1</a>,
<a href="#22">2.2</a>,
<a href="#23">2.3</a>,
<a href="#24">2.4</a>,
<a href="#25">2.5</a>,
<a href="#26">2.6</a>,
<a href="#27">2.7</a>,
<a href="#28">2.8</a>,
<a href="#29">2.9</a>,
<a href="#30">3.0</a>,
<a href="#31">3.1</a>,
<a href="#32">3.2</a>,
<a href="#33">3.3</a>,
<a href="#34">3.4</a>,
<a href="#35">3.5</a>,
<a href="#36">3.6</a>,
<a href="#37">3.7</a>,
<a href="#38">3.8</a>,
<a href="#39">3.9</a>,
<a href="#40">4.0</a>,
<a href="#41">4.1</a>,
<a href="#42">4.2</a>,
<a href="#43">4.3</a>.
</td>
</tr>
</table>
<hr>

<a name="goals"></a>
<ul>
<li><h3><font color="#e00000">Goal</font></h3><p>

OpenBSD believes in strong security.  Our aspiration is to be NUMBER
ONE in the industry for security (if we are not already there).  Our
open software development model permits us to take a more
uncompromising view towards increased security than Sun, SGI, IBM, HP,
or other vendors are able to.  We can make changes the vendors would
not make.  Also, since OpenBSD is exported with <a href=crypto.html>
cryptography</a>, we are able to take cryptographic approaches towards
fixing security problems.<p>

<a name="disclosure"></a>
<li><h3><font color="#e00000">Full Disclosure</font></h3><p>

Like many readers of the
<a href="http://online.securityfocus.com/archive/1">
BUGTRAQ mailing list</a>,
we believe in full disclosure of security problems.  In the
operating system arena, we were probably the first to embrace
the concept.  Many vendors, even of free software, still try
to hide issues from their users.<p>

Security information moves very fast in cracker circles.  On the other
hand, our experience is that coding and releasing of proper security
fixes typically requires about an hour of work -- very fast fix
turnaround is possible.  Thus we think that full disclosure helps the
people who really care about security.<p>

<a name="process"></a>
<li><h3><font color="#e00000">Audit Process</font></h3><p>

Our security auditing team typically has between six and twelve
members who continue to search for and fix new security holes.  We
have been auditing since the summer of 1996.  The process we follow to
increase security is simply a comprehensive file-by-file analysis of
every critical software component.  We are not so much looking for
security holes, as we are looking for basic software bugs, and if
years later someone discovers the problem used to be a security
issue, and we fixed it because it was just a bug, well, all the
better.  Flaws have been found in just about every area of the system.
Entire new classes of security problems have been found during our
audit, and often source code which had been audited earlier needs
re-auditing with these new flaws in mind.  Code often gets audited
multiple times, and by multiple people with different auditing
skills.<p>

Some members of our security auditing team worked for Secure Networks,
the company that made the industry's premier network security scanning
software package Ballista (Secure Networks got purchased by Network
Associates, Ballista got renamed to Cybercop Scanner, and well...)
That company did a lot of security research, and thus fit in well
with the OpenBSD stance.  OpenBSD passed Ballista's tests with flying
colours since day 1.<p>

Another facet of our security auditing process is its proactiveness.
In most cases we have found that the determination of exploitability
is not an issue.  During our ongoing auditing process we find many
bugs, and endeavor to fix them even though exploitability is not
proven.  We fix the bug, and we move on to find other bugs to fix.  We
have fixed many simple and obvious careless programming errors in code
and only months later discovered that the problems were in fact
exploitable.  (Or, more likely someone on
<a href="http://online.securityfocus.com/archive/1">BUGTRAQ</a>
would report that other operating systems were vulnerable to a `newly
discovered problem', and then it would be discovered that OpenBSD had
been fixed in a previous release).  In other cases we have been saved
from full exploitability of complex step-by-step attacks because we
had fixed one of the intermediate steps.  An example of where we
managed such a success is the lpd advisory that Secure Networks put out.
<p>

<a name="newtech"></a>
<li><h3><font color="#e00000">New Technologies</font></h3><p>

As we audit source code, we often invent new ways of solving problems.
Sometimes these ideas have been used before in some random application
written somewhere, but perhaps not taken to the degree that we do.
<p>

<ul>
  <li>strlcpy() and strlcat()
  <li>Memory protection purify
    <ul>
    <li>W^X
    <li>.rodata segment
    <li>Guard pages
    <li>Randomized malloc()
    <li>Randomized mmap()
    <li>atexit() and stdio protection
    </ul>
  <li>Privilege separation
  <li>Privilege revocation
  <li>Chroot jailing
  <li>New uids
  <li>ProPolice
  <li>... and others
</ul>
<p>

<li><h3><font color="#e00000">The Reward</font></h3><p>

Our proactive auditing process has really paid off.  Statements like
``This problem was fixed in OpenBSD about 6 months ago'' have become
commonplace in security forums like
<a href="http://online.securityfocus.com/archive/1">BUGTRAQ</a>.<p>

The most intense part of our security auditing happened immediately
before the OpenBSD 2.0 release and during the 2.0-&gt;2.1 transition,
over the last third of 1996 and first half of 1997.  Thousands (yes,
thousands) of security issues were fixed rapidly over this year-long
period; bugs like the standard buffer overflows, protocol
implementation weaknesses, information gathering, and filesystem
races.  Hence most of the security problems that we encountered were
fixed before our 2.1 release, and then a far smaller number needed
fixing for our 2.2 release.  We do not find as many problems anymore,
it is simply a case of diminishing returns.  Recently the security
problems we find and fix tend to be significantly more obscure or
complicated.  Still we will persist for a number of reasons:<p>

<ul>
<li>Occasionally we find a simple problem we missed earlier. Doh!
<li>Security is like an arms race; the best attackers will continue
	to search for more complicated exploits, so we will too.
<li>Finding and fixing subtle flaws in complicated software is
	a lot of fun.
</ul>
<p>

The auditing process is not over yet, and as you can see we continue
to find and fix new security flaws.<p>

<a name="default"></a>
<li><h3><font color="#e00000">"Secure by Default"</font></h3><p>

To ensure that novice users of OpenBSD do not need to become security
experts overnight (a viewpoint which other vendors seem to have), we
ship the operating system in a Secure by Default mode.  All non-essential
services are disabled.  As the user/administrator becomes more familiar
with the system, he will discover that he has to enable daemons and other
parts of the system.  During the process of learning how to enable a new
service, the novice is more likely to learn of security considerations.<p>

This is in stark contrast to the increasing number of systems that
ship with NFS, mountd, web servers, and various other services enabled
by default, creating instantaneous security problems for their users
within minutes after their first install.<p>

<a name="crypto"></a>
<li><h3><font color="#e00000">Cryptography</font></h3><p>

And of course, since the OpenBSD project is based in Canada, it is possible
for us to integrate cryptography.  For more information, read the page
outlining <a href=crypto.html>what we have done with cryptography</a>.</p>

<li><h3><font color="#e00000">Advisories</font></h3><p>

<li>
<a name="43"></a>

<h3><font color="#e00000">OpenBSD 4.3 Security Advisories</font></h3>
These are the OpenBSD 4.3 advisories -- all these problems are solved
in <a href=anoncvs.html>OpenBSD current</a> and the
<a href=stable.html>patch branch</a>.

<p>
<ul>
<li><a href="errata43.html#004_bind">July 23, 2008:
	A vulnerability has been found with BIND.</a>
<li><a href="errata43.html#003_xorg">July 15, 2008:
	Multiple vulnerabilities in X.Org.</a>
<li><a href="errata43.html#002_openssh2">April 3, 2008:
	sshd(8) could possibly allow hijacking of X11-forwarded connections.</a>
<li><a href="errata43.html#001_openssh">March 30, 2008:
	sshd(8) could allow arbitrary commands to be executed via ~/.ssh/rc
	when a sshd_config(5) ForceCommand directive was in effect.</a>
</ul>


<li>
<a name="42"></a>

<h3><font color="#e00000">OpenBSD 4.2 Security Advisories</font></h3>
These are the OpenBSD 4.2 advisories -- all these problems are solved
in <a href=anoncvs.html>OpenBSD current</a> and the
<a href=stable.html>patch branch</a>.

<p>
<ul>
<li><a href="errata42.html#013_bind">July 23, 2008:
	A vulnerability has been found with BIND.</a>
<li><a href="errata42.html#012_xorg2">July 15, 2008:
	Multiple vulnerabilities in X.Org.</a>
<li><a href="errata42.html#011_openssh2">April 3, 2008:
	sshd(8) could possibly allow hijacking of X11-forwarded connections.</a>
<li><a href="errata42.html#010_openssh">March 30, 2008:
	sshd(8) could allow arbitrary commands to be executed via ~/.ssh/rc
	when a sshd_config(5) ForceCommand directive was in effect.</a>
<li><a href="errata42.html#009_ppp">March 7, 2008:
	Command prompt parsing buffer overflow in ppp.</a>
<li><a href="errata42.html#006_xorg">Feb 8, 2008:
	Multiple vulnerabilities in X.Org.</a>
<li><a href="errata42.html#005_ifrtlabel">Jan 11, 2008:
	A missing NULL pointer check can lead to a kernel panic.</a>
<li><a href="errata42.html#004_pf">Nov 27, 2007:
	A memory leak in pf can lead to machine lockups.</a>
<li><a href="errata42.html#002_openssl">Oct 10, 2007:
	Fix off-by-one overflow in OpenSSL.</a>
<li><a href="errata42.html#001_dhcpd">Oct 9, 2007:
	Fix stack corruption problem in dhcpd(8).</a>
</ul>

<li>
<a name="41"></a>

<h3><font color="#e00000">OpenBSD 4.1 Security Advisories</font></h3>
These are the OpenBSD 4.1 advisories -- all these problems are solved
in <a href=anoncvs.html>OpenBSD current</a> and the
<a href=stable.html>patch branch</a>.

<p>
<ul>
<li><a href="errata41.html#016_openssh2">April 3, 2008:
	sshd(8) could possibly allow hijacking of X11-forwarded connections.</a>
<li><a href="errata41.html#015_openssh">March 30, 2008:
	sshd(8) could allow arbitrary commands to be executed via ~/.ssh/rc
	when a sshd_config(5) ForceCommand directive was in effect.</a>
<li><a href="errata41.html#014_ppp">March 7, 2008:
	Command prompt parsing buffer overflow in ppp.</a>
<li><a href="errata41.html#012_xorg">Feb 8, 2008:
	Multiple vulnerabilities in X.Org.</a>
<li><a href="errata41.html#011_openssl">Oct 10, 2007:
	The SSL_get_shared_ciphers() function in OpenSSL contains
	an off-by-one overflow.</a>
<li><a href="errata41.html#010_dhcpd">Oct 9, 2007:
	Fix stack corruption problem in dhcpd(8).</a>
<li><a href="errata41.html#009_file">Jul 9, 2007:
	Fix possible heap overflow in file(1).</a>
<li><a href="errata41.html#005_route6">Apr 27, 2007:
	IPv6 type 0 route headers can be used to mount a DoS attack
	against hosts and networks.</a>
<li><a href="errata41.html#004_xorg">Apr 27, 2007:
	Multiple vulnerabilities in X.Org.</a>
<li><a href="errata41.html#001_mbuf">Apr 27, 2007:
	Incorrect mbuf handling for ICMP6 packets.</a>
</ul>

<p>
OpenBSD 4.0 and earlier releases are not supported anymore. The following
paragraphs only list advisories issued while they were maintained; these
releases are likely to be affected by the advisories for more recent releases.
<br>

<li>
<a name="40"></a>
<h3><font color="#e00000">OpenBSD 4.0 Security Advisories</font></h3>
These are the OpenBSD 4.0 advisories -- all these problems are solved
in <a href=anoncvs.html>OpenBSD current</a> and the
<a href=stable.html>patch branch</a>.

<p>
<ul>
<li><a href="errata40.html#016_dhcpd">Oct 9, 2007:
	Fix stack corruption problem in dhcpd(8).</a>
<li><a href="errata40.html#015_file">Jul 9, 2007:
	Fix possible heap overflow in file(1).</a>
<li><a href="errata40.html#012_route6">Apr 23, 2007:
	IPv6 type 0 route headers can be used to mount a DoS attack
	against hosts and networks.</a>
<li><a href="errata40.html#011_xorg">Apr 4, 2007:
	Multiple vulnerabilities in X.Org.</a>
<li><a href="errata40.html#m_dup1">Mar 7, 2007:
	Incorrect mbuf handling for ICMP6 packets.</a>
<li><a href="errata40.html#agp">Jan 3, 2007:
	Insufficient validation in vga(4) may allow an attacker to gain
	root privileges on some i386 systems.</a>
<li><a href="errata40.html#ldso">Nov 19, 2006:
	ld.so(1) fails to properly sanitize the environment.</a>
<li><a href="errata40.html#systrace">Nov 4, 2006:
	Fix for an integer overflow in systrace(4)'s STRIOCREPLACE support,
	found by Chris Evans.</a>
<li><a href="errata40.html#openssl">Nov 4, 2006:
	Several problems have been found in OpenSSL.</a>
<li><a href="errata40.html#httpd">Nov 4, 2006:
	httpd(8) does not sanitize the Expect header from an HTTP request
	when it is reflected back in an error message, which might allow
	cross-site scripting (XSS) style attacks.</a>
</ul>

<li>
<a name="39"></a>

<h3><font color="#e00000">OpenBSD 3.9 Security Advisories</font></h3>
These are the OpenBSD 3.9 advisories -- all these problems are solved
in <a href=anoncvs.html>OpenBSD current</a> and the
<a href=stable.html>patch branch</a>.

<p>
<ul>
<li><a href="errata39.html#022_route6">Apr 23, 2007:
	IPv6 type 0 route headers can be used to mount a DoS attack
	against hosts and networks.</a>
<li><a href="errata39.html#021_xorg">Apr 4, 2007:
	Multiple vulnerabilities in X.Org.</a>
<li><a href="errata39.html#m_dup1">Mar 7, 2007:
	Incorrect mbuf handling for ICMP6 packets.</a>
<li><a href="errata39.html#agp">Jan 3, 2007:
	Insufficient validation in vga(4) may allow an attacker to gain
	root privileges on some i386 systems.</a>
<li><a href="errata39.html#ldso">Nov 19, 2006:
	ld.so(1) fails to properly sanitize the environment.</a>
<li><a href="errata39.html#ssh">Oct 12, 2006:
	Fix 2 security bugs found in OpenSSH.</a>
<li><a href="errata39.html#systrace">Oct 7, 2006:
	Fix for an integer overflow in systrace(4)'s STRIOCREPLACE support,
	found by Chris Evans.</a>
<li><a href="errata39.html#openssl2">Oct 7, 2006:
	Several problems have been found in OpenSSL.</a>
<li><a href="errata39.html#httpd2">Oct 7, 2006:
	httpd(8) does not sanitize the Expect header from an HTTP request
	when it is reflected back in an error message, which might allow
	cross-site scripting (XSS) style attacks.</a>
<li><a href="errata39.html#openssl">Sep 8, 2006:
	Due to incorrect PKCS#1 v1.5 padding validation in OpenSSL, it is
	possible for an attacker to construct an invalid signature which
	OpenSSL would accept as a valid PKCS#1 v1.5 signature.</a>
<li><a href="errata39.html#bind">Sep 8, 2006:
	Two Denial of Service issues have been found with BIND.</a>
<li><a href="errata39.html#sppp">Sep 2, 2006:
	Due to the failure to correctly validate LCP configuration option
	lengths, it is possible for an attacker to send LCP packets via an
	sppp(4) connection causing the kernel to panic.</a>
<li><a href="errata39.html#isakmpd">Aug 25, 2006:
	A problem in isakmpd(8) caused IPsec to run partly without replay
	protection.</a>
<li><a href="errata39.html#sem">Aug 25, 2006:
	It is possible to cause the kernel to panic when more than the default
	number of sempahores have been allocated.</a>
<li><a href="errata39.html#dhcpd">Aug 25, 2006:
	Due to an off-by-one error in dhcpd(8) it is possible to cause dhcpd(8)
	to exit by sending a DHCPDISCOVER packet with a 32-byte client identifier
	option.</a>
<li><a href="errata39.html#sendmail3">Aug 25, 2006:
	A potential denial of service problem has been found in sendmail.</a>
<li><a href="errata39.html#httpd">Jul 30, 2006:
	httpd(8)'s mod_rewrite has a potentially exploitable off-by-one buffer
	overflow.</a>
<li><a href="errata39.html#sendmail2">Jun 15, 2006:
	A potential denial of service problem has been found in sendmail.</a>
<li><a href="errata39.html#xorg">May 2, 2006:
	A buffer overflow exists in the Render extension of the X server.</a>
<li><a href="errata39.html#sendmail">Mar 25, 2006:
	A race condition has been reported to exist in the handling by sendmail
	of asynchronous signals.</a>
</ul>

<li>
<a name="38"></a>

<h3><font color="#e00000">OpenBSD 3.8 Security Advisories</font></h3>
These are the OpenBSD 3.8 advisories -- all these problems are solved 
in <a href=anoncvs.html>OpenBSD current</a> and the
<a href=stable.html>patch branch</a>.

<p>
<ul>
<li><a href="errata38.html#ssh2">Oct 12, 2006:
	Fix 2 security bugs found in OpenSSH.</a>
<li><a href="errata38.html#systrace">Oct 7, 2006:
	Fix for an integer overflow in systrace(4)'s STRIOCREPLACE support,
	found by Chris Evans.</a>
<li><a href="errata38.html#openssl2">Oct 7, 2006:
	Several problems have been found in OpenSSL.</a>
<li><a href="errata38.html#httpd2">Oct 7, 2006:
	httpd(8) does not sanitize the Expect header from an HTTP request
	when it is reflected back in an error message, which might allow
	cross-site scripting (XSS) style attacks.</a>
<li><a href="errata38.html#openssl">Sep 8, 2006:
	Due to incorrect PKCS#1 v1.5 padding validation in OpenSSL, it is
	possible for an attacker to construct an invalid signature which
	OpenSSL would accept as a valid PKCS#1 v1.5 signature.</a>
<li><a href="errata38.html#bind">Sep 8, 2006:
	Two Denial of Service issues have been found with BIND.</a>
<li><a href="errata38.html#sppp">Sep 2, 2006:
	Due to the failure to correctly validate LCP configuration option
	lengths, it is possible for an attacker to send LCP packets via an
	sppp(4) connection causing the kernel to panic.</a>
<li><a href="errata38.html#isakmpd">Aug 25, 2006:
	A problem in isakmpd(8) caused IPsec to run partly without replay
	protection.</a>
<li><a href="errata38.html#sem">Aug 25, 2006:
	It is possible to cause the kernel to panic when more than the default
	number of sempahores have been allocated.</a>
<li><a href="errata38.html#dhcpd">Aug 25, 2006:
	Due to an off-by-one error in dhcpd(8) it is possible to cause dhcpd(8)
	to exit by sending a DHCPDISCOVER packet with a 32-byte client identifier
	option.</a>
<li><a href="errata38.html#sendmail3">Aug 25, 2006:
	A potential denial of service problem has been found in sendmail.</a>
<li><a href="errata38.html#httpd">Jul 30, 2006:
	httpd(8)'s mod_rewrite has a potentially exploitable off-by-one buffer
	overflow.</a>
<li><a href="errata38.html#sendmail2">Jun 15, 2006:
	A potential denial of service problem has been found in sendmail.</a>
<li><a href="errata38.html#xorg">May 2, 2006:
	A buffer overflow exists in the Render extension of the X server.</a>
<li><a href="errata38.html#sendmail">Mar 25, 2006:
	A race condition has been reported to exist in the handling by sendmail
	of asynchronous signals.</a>
<li><a href="errata38.html#ssh">Feb 12, 2006:
	Josh Bressers has reported a weakness in OpenSSH caused due to the
	insecure use of the system(3) function in scp(1) when performing copy
	operations using filenames that are supplied by the user from the
	command line.</a>
<li><a href="errata38.html#fd">Jan 5, 2006:
	Do not allow users to trick suid programs into re-opening files via
	/dev/fd.</a>
<li><a href="errata38.html#perl">Jan 5, 2006:
	A buffer overflow has been found in the Perl interpreter with the
	sprintf function which may be exploitable under certain conditions.</a>
</ul>

<li>
<a name="37"></a>

<h3><font color="#e00000">OpenBSD 3.7 Security Advisories</font></h3>
These are the OpenBSD 3.7 advisories -- all these problems are solved 
in <a href="anoncvs.html">OpenBSD current</a>. The
<a href="stable.html">patch branch</a> for 3.7 is no longer being maintained,
you should update your machine.

<p>
<ul>
<li><a href="errata37.html#xorg">May 2, 2006:
	A buffer overflow exists in the Render extension of the X server.</a>
<li><a href="errata37.html#sendmail">Mar 25, 2006:
	A race condition has been reported to exist in the handling by sendmail
	of asynchronous signals.</a>
<li><a href="errata37.html#ssh">Feb 12, 2006:
	Josh Bressers has reported a weakness in OpenSSH caused due to the
	insecure use of the system(3) function in scp(1) when performing copy
	operations using filenames that are supplied by the user from the
	command line.</a>
<li><a href="errata37.html#fd">Jan 5, 2006:
	Do not allow users to trick suid programs into re-opening files via
	/dev/fd.</a>
<li><a href="errata37.html#perl">Jan 5, 2006:
	A buffer overflow has been found in the Perl interpreter with the
	sprintf function which may be exploitable under certain conditions.</a>
<li><a href="errata37.html#libz2">Jul 21, 2005:
	Fix another buffer overflow in the zlib library that may be exploitable.</a>
<li><a href="errata37.html#libz">Jul 6, 2005:
	Fix a buffer overflow in the zlib library that may be exploitable.</a>
<li><a href="errata37.html#sudo">Jun 20, 2005:
	Fix a race condition in sudo(8) that could allow a user
	to run arbitrary commands.</a>
<li><a href="errata37.html#cvs">Jun 7, 2005:
        Fix a buffer overflow, memory leaks, and NULL pointer
        dereference in cvs(1).</a>
</ul>

<li>
<a name="36"></a>

<h3><font color="#e00000">OpenBSD 3.6 Security Advisories</font></h3>
These are the OpenBSD 3.6 advisories -- all these problems are solved 
in <a href="anoncvs.html">OpenBSD current</a>. The
<a href="stable.html">patch branch</a> for 3.6 is no longer being maintained,
you should update your machine.

<p>
<ul>
<li><a href="errata36.html#libz2">Jul 21, 2005:
	Fix another buffer overflow in the zlib library that may be exploitable.</a>
<li><a href="errata36.html#libz">Jul 6, 2005:
	Fix a buffer overflow in the zlib library that may be exploitable.</a>
<li><a href="errata36.html#sudo">Jun 20, 2005:
	Fix a race condition in sudo(8) that could allow a user
	to run arbitrary commands.</a>
<li><a href="errata36.html#cvs">Apr 28, 2005:
        Fix a buffer overflow, memory leaks, and NULL pointer
        dereference in cvs(1).</a>
<li><a href="errata36.html#telnet">Mar 30, 2005:
        Due to buffer overflows in telnet(1), a malicious
        server or man-in-the-middle attack could allow
        execution of arbitrary code with the privileges of
        the user invoking telnet(1).</a>
<li><a href="errata36.html#copy">Mar 16, 2005:
        More stringent checking should be done in the copy(9)
        functions to prevent their misuse.</a>
<li><a href="errata36.html#locore">Feb 28, 2005:
        More stringent checking should be done in the copy(9)
        functions to prevent their misuse.</a>
<li><a href="errata36.html#httpd">Jan 12, 2005:
        httpd(8)'s mod_include module fails to properly validate
        the length of user supplied tag strings prior to copying
        them to a local buffer, causing a buffer overflow.</a>
<li><a href="errata36.html#pfkey">Dec 14, 2004:
        On systems running isakmpd(8) it is possible for a local
        user to cause kernel memory corruption and system panic by
        setting ipsec(4) credentials on a socket.</a>
</ul>

<li>
<a name="35"></a>

<h3><font color="#e00000">OpenBSD 3.5 Security Advisories</font></h3>
These are the OpenBSD 3.5 advisories -- all these problems are solved 
in <a href="anoncvs.html">OpenBSD current</a>. The
<a href="stable.html">patch branch</a> for 3.5 is no longer being maintained,
you should update your machine.

<p>
<ul>
<li><a href="errata35.html#cvs4">Apr 28, 2005:
        Fix a buffer overflow, memory leaks, and NULL pointer
        dereference in cvs(1).</a>
<li><a href="errata35.html#telnet">Mar 30, 2005:
        Due to buffer overflows in telnet(1), a malicious
        server or man-in-the-middle attack could allow
        execution of arbitrary code with the privileges of
        the user invoking telnet(1).</a>
<li><a href="errata35.html#copy">Mar 16, 2005:
        More stringent checking should be done in the copy(9)
        functions to prevent their misuse.</a>
<li><a href="errata35.html#locore">Feb 28, 2005:
        More stringent checking should be done in the copy(9)
        functions to prevent their misuse.</a>
<li><a href="errata35.html#httpd3">Jan 12, 2005:
        httpd(8)'s mod_include module fails to properly validate
        the length of user supplied tag strings prior to copying
        them to a local buffer, causing a buffer overflow.</a>
<li><a href="errata35.html#pfkey">Dec 14, 2004:
        On systems running isakmpd(8) it is possible for a local
        user to cause kernel memory corruption and system panic by
        setting ipsec(4) credentials on a socket.</a>
<li><a href="errata35.html#radius">Sep 20, 2004:
	Radius-based authentication is vulnerable to spoofed replies.</a>
<li><a href="errata35.html#xpm">Sep 16, 2004:
	The Xpm library has vulnerabilities when parsing malicious images.</a>
<li><a href="errata35.html#httpd2"> Sep 10, 2004:
	httpd(8)'s mod_rewrite module can be made to write one zero byte in
	an arbitrary memory position outside of a char array, causing a DoS
	or possibly buffer overflows.</a>
<li><a href="errata35.html#httpd"> Jun 12, 2004:
	Multiple vulnerabilities have been found in httpd(8) / mod_ssl.</a>
<li><a href="errata35.html#isakmpd"> Jun 10, 2004:
	isakmpd(8) still has issues with unauthorized SA deletion,
	an attacker can delete IPsec tunnels at will.</a>
<li><a href="errata35.html#cvs3"> Jun 9, 2004:
	Multiple remote vulnerabilities have been found in the cvs(1)
	server which can be used by CVS clients to crash or execute
	arbitrary code on the server.</a>
<li><a href="errata35.html#kerberos"> May 30, 2004:
	kdc(8) performs inadequate checking of request fields, leading
	to the possibility of principal impersonation from other
	Kerberos realms if they	are trusted with a cross-realm trust.</a>
<li><a href="errata35.html#xdm"> May 26, 2004:
	xdm(1) ignores the requestPort resource and creates a 
        listening socket regardless of the setting in xdm-config.</a>
<li><a href="errata35.html#cvs2"> May 20, 2004:
	A buffer overflow in the cvs(1) server has been found,
	which can be used by CVS clients to execute arbitrary code on
	the server.</a>
<li><a href="errata35.html#procfs"> May 13, 2004:
	Integer overflow problems were found in procfs, allowing
	reading of arbitrary kernel memory.</a>
<li><a href="errata35.html#cvs"> May 5, 2004:
	Pathname validation problems have been found in cvs(1),
	allowing clients and servers access to files outside the
	repository or local CVS tree.</a>
</ul>

<p>
<li>
<a name="34"></a>

<h3><font color="#e00000">OpenBSD 3.4 Security Advisories</font></h3>
These are the OpenBSD 3.4 advisories -- all these problems are solved 
in <a href="anoncvs.html">OpenBSD current</a>. The
<a href="stable.html">patch branch</a> for 3.4 is no longer being maintained,
you should update your machine.
<p>
<ul>
<li><a href="errata34.html#pfkey">Dec 14, 2004:
        On systems running isakmpd(8) it is possible for a local
        user to cause kernel memory corruption and system panic by
        setting ipsec(4) credentials on a socket.</a>
<li><a href="errata34.html#xpm">Sep 16, 2004:
	The Xpm library has vulnerabilities when parsing malicious images.</a>
<li><a href="errata34.html#httpd4"> Sep 10, 2004:
	httpd(8)'s mod_rewrite module can be made to write one zero byte in
	an arbitrary memory position outside of a char array, causing a DoS
	or possibly buffer overflows.</a>
<li><a href="errata34.html#httpd3"> Jun 12, 2004:
        Multiple vulnerabilities have been found in httpd(8) / mod_ssl.</a>
<li><a href="errata34.html#isakmpd3"> Jun 10, 2004:
        isakmpd(8) still has issues with unauthorized SA deletion,
        an attacker can delete IPsec tunnels at will.</a>
<li><a href="errata34.html#cvs3"> Jun 9, 2004:
	Multiple remote vulnerabilities have been found in the cvs(1)
	server which can be used by CVS clients to crash or execute
	arbitrary code on the server.</a>
<li><a href="errata34.html#kerberos"> May 30, 2004:
	kdc(8) performs inadequate checking of request fields, leading
	to the possibility of principal impersonation from other
	Kerberos realms if they	are trusted with a cross-realm trust.</a>
<li><a href="errata34.html#cvs2"> May 20, 2004:
	A buffer overflow in the cvs(1) server has been found,
	which can be used by CVS clients to execute arbitrary code on
	the server.</a>
<li><a href="errata34.html#procfs"> May 13, 2004:
	Integer overflow problems were found in procfs, allowing
	reading of arbitrary kernel memory.</a>
<li><a href="errata34.html#cvs"> May 5, 2004:
	Pathname validation problems have been found in cvs(1),
	allowing clients and servers access to files outside the
	repository or local CVS tree.</a>
<li><a href="errata34.html#openssl"> March 17, 2004:
	A missing check for a NULL-pointer dereference may allow a
	remote attacker to crash applications using OpenSSL.</a>
<li><a href="errata34.html#isakmpd2"> March 17, 2004:
	Defects in the payload validation and processing functions of
	isakmpd have been discovered. An attacker could send malformed
	ISAKMP messages and cause isakmpd to crash or to loop endlessly.</a>
<li><a href="errata34.html#httpd2"> March 13, 2004:
	Due to a bug in the parsing of Allow/Deny rules for httpd(8)'s
	access module, using IP addresses without a netmask on big endian
	64-bit platforms causes the rules to fail to match.</a>
<li><a href="errata34.html#ip6"> February 8, 2004:
	An IPv6 MTU handling problem exists that could be used by an
	attacker to cause a denial of service attack.</a>
<li><a href="errata34.html#sysvshm"> February 5, 2004:
	A reference counting bug in shmat(2) could be used to write to
	kernel memory under certain circumstances.</a>
<li><a href="errata34.html#isakmpd">January 13, 2004:
	Several message handling flaws in isakmpd(8) have been reported
	by Thomas Walpuski.</a>
<li><a href="errata34.html#ibcs2">November 17, 2003:
	It may be possible for a local user to overrun the stack in
	compat_ibcs2(8) and cause a kernel panic.</a>
<li><a href="errata34.html#asn1">November 1, 2003:
	The use of certain ASN.1 encodings or malformed public keys may
	allow an attacker to mount a denial of service attack against
	applications linked with ssl(3).</a>
</ul>

<li>
<a name="33"></a>

<h3><font color="#e00000">OpenBSD 3.3 Security Advisories</font></h3>
These are the OpenBSD 3.3 advisories -- all these problems are solved 
in <a href="anoncvs.html">OpenBSD current</a>. The
<a href="stable.html">patch branch</a> for 3.3 is no longer being maintained,
you should update your machine.
<p>
<ul>
<li><a href="errata33.html#cvs"> May 5, 2004:
	Pathname validation problems have been found in cvs(1),
	allowing clients and servers access to files outside the
	repository or local CVS tree.</a>
<li><a href="errata33.html#openssl"> March 17, 2004:
	A missing check for a NULL-pointer dereference may allow a
	remote attacker to crash applications using OpenSSL.</a>
<li><a href="errata33.html#isakmpd2"> March 17, 2004:
	Defects in the payload validation and processing functions of
	isakmpd have been discovered. An attacker could send malformed
	ISAKMP messages and cause isakmpd to crash or to loop endlessly.</a>
<li><a href="errata33.html#httpd2"> March 13, 2004:
	Due to a bug in the parsing of Allow/Deny rules for httpd(8)'s
	access module, using IP addresses without a netmask on big endian
	64-bit platforms causes the rules to fail to match.</a>
<li><a href="errata33.html#ip6"> February 8, 2004:
	An IPv6 MTU handling problem exists that could be used by an
	attacker to cause a denial of service attack.</a>
<li><a href="errata33.html#sysvshm"> February 5, 2004:
	A reference counting bug in shmat(2) could be used to write to
	kernel memory under certain circumstances.</a>
<li><a href="errata33.html#isakmpd">January 15, 2004:
        Several message handling flaws in isakmpd(8) have been reported
        by Thomas Walpuski.</a>
<li><a href="errata33.html#ibcs2">November 17, 2003:
	It may be possible for a local user to execute arbitrary code 
	resulting in escalation of privileges due to a stack overrun 
	in compat_ibcs2(8).</a>
<li><a href="errata33.html#asn1">October 1, 2003:
	The use of certain ASN.1 encodings or malformed public keys may
	allow an attacker to mount a denial of service attack against
	applications linked with ssl(3).</a>
<li><a href="errata33.html#pfnorm">September 24, 2003:
	Access of freed memory in pf(4) could be used to 
	remotely panic a machine using scrub rules.</a>
<li><a href="errata33.html#sendmail">September 17, 2003:
	A buffer overflow in the address parsing in
	sendmail(8) may allow an attacker to gain root privileges.</a>
<li><a href="errata33.html#sshbuffer">September 16, 2003:
	OpenSSH versions prior to 3.7 contains a buffer management error
	that is potentially exploitable.</a>
<li><a href="errata33.html#sysvsem">September 10, 2003:
	Root may be able to reduce the security level by taking advantage of
	an integer overflow when the semaphore limits are made very large.</a>
<li><a href="errata33.html#semget">August 20, 2003:
	An improper bounds check in the kernel may allow a local user
	to panic the kernel.</a>
<li><a href="errata33.html#realpath">August 4, 2003:
	An off-by-one error exists in the C library function realpath(3)
	may allow an attacker to gain escalated privileges.</a>
</ul>


<p>
<li>
<a name="32"></a>

<h3><font color="#e00000">OpenBSD 3.2 Security Advisories</font></h3>
These are the OpenBSD 3.2 advisories -- all these problems are solved 
in <a href="anoncvs.html">OpenBSD current</a>. The
<a href="stable.html">patch branch</a> for 3.2 is no longer being maintained,
you should update your machine.
<p>
<ul>
<li><a href="errata32.html#asn1">October 1, 2003:
	The use of certain ASN.1 encodings or malformed public keys may
	allow an attacker to mount a denial of service attack against
	applications linked with ssl(3).  This does not affect OpenSSH.</a>
<li><a href="errata32.html#pfnorm">September 24, 2003:
	Access of freed memory in pf(4) could be used to 
	remotely panic a machine using scrub rules.</a>
<li><a href="errata32.html#sendmail4">September 17, 2003:
	A buffer overflow in the address parsing in
	sendmail(8) may allow an attacker to gain root privileges.</a>
<li><a href="errata32.html#sshbuffer">September 16, 2003:
	OpenSSH versions prior to 3.7 contains a buffer management error
	that is potentially exploitable.</a>
<li><a href="errata32.html#sendmail3">August 25, 2003:
        Fix for a potential security issue in
        sendmail(8) with respect to DNS maps.</a>
<li><a href="errata32.html#realpath">August 4, 2003:
	An off-by-one error exists in the C library function realpath(3)
	may allow an attacker to gain escalated privileges.</a>
<li><a href="errata32.html#sendmail2">March 31, 2003:
	A buffer overflow in the address parsing in
	sendmail(8) may allow an attacker to gain root privileges.</a>
<li><a href="errata32.html#kerberos">March 24, 2003:
	A cryptographic weaknesses in the Kerberos v4 protocol can be
	exploited on Kerberos v5 as well.</a>
<li><a href="errata32.html#kpr">March 19, 2003:
	OpenSSL is vulnerable to an extension of the ``Bleichenbacher'' attack
	designed by Czech researchers Klima, Pokorny and Rosa.</a>
<li><a href="errata32.html#blinding">March 18, 2003:
	Various SSL and TLS operations in OpenSSL are vulnerable to
	timing attacks.</a>
<li><a href="errata32.html#lprm">March 5, 2003:
	A buffer overflow in lprm(1) may allow an attacker to elevate
	privileges to user daemon.</a>.
<li><a href="errata32.html#sendmail">March 3, 2003:
	A buffer overflow in the envelope comments processing in
	sendmail(8) may allow an attacker to gain root privileges.</a>
<li><a href="errata32.html#httpd">February 25, 2003:
	httpd(8) leaks file inode numbers via ETag header as well as
	child PIDs in multipart MIME boundary generation. This could
	lead, for example, to NFS exploitation because it uses inode
	numbers as part of the file handle.</a>
<li><a href="errata32.html#ssl">February 22, 2003:
	In ssl(8) an information leak can occur via timing by performing
	a MAC computation even if incorrect block cipher padding has 
	been found, this is a countermeasure. Also, check for negative
	sizes, in allocation routines.</a>
<li><a href="errata32.html#cvs">January 20, 2003:
	A double free exists in cvs(1) that could lead to privilege
	escalation for cvs configurations where the cvs command is
	run as a privileged user.</a>
<li><a href="errata32.html#named">November 14, 2002:
	A buffer overflow exists in named(8) that could lead to a
	remote crash or code execution as user named in a chroot jail.</a>
<li><a href="errata32.html#pool">November 6, 2002:
	A logic error in the pool kernel memory allocator could cause
	memory corruption in low-memory situations, causing the system
	to crash.</a>
<li><a href="errata32.html#smrsh">November 6, 2002:
	An attacker can bypass smrsh(8)'s restrictions and execute
	arbitrary commands with the privileges of his own account.</a>
<li><a href="errata32.html#pfbridge">November 6, 2002:
	Network bridges running pf with scrubbing enabled could cause
	mbuf corruption, causing the system to crash.</a>
<li><a href="errata32.html#kadmin">October 21, 2002:
	A buffer overflow can occur in the kadmind(8) daemon, leading
	to possible remote crash or exploit.</a>
</ul>

<p>
<li>
<a name="31"></a>

<h3><font color="#e00000">OpenBSD 3.1 Security Advisories</font></h3>
These are the OpenBSD 3.1 advisories -- all these problems are solved 
in <a href="anoncvs.html">OpenBSD current</a>. The 
<a href="stable.html">patch branch</a> for 3.1 is no longer being maintained,
you should update your machine.

<p>
<ul>
<li><a href="errata31.html#sendmail2">March 31, 2003:
	A buffer overflow in the address parsing in
	sendmail(8) may allow an attacker to gain root privileges.</a>
<li><a href="errata31.html#kerberos">March 24, 2003:
	A cryptographic weaknesses in the Kerberos v4 protocol can be
	exploited on Kerberos v5 as well.</a>
<li><a href="errata31.html#kpr">March 19, 2003:
	OpenSSL is vulnerable to an extension of the ``Bleichenbacher'' attack
	designed by Czech researchers Klima, Pokorny and Rosa.</a>
<li><a href="errata31.html#blinding">March 18, 2003:
	Various SSL and TLS operations in OpenSSL are vulnerable to
	timing attacks.</a>
<li><a href="errata31.html#lprm">March 4, 2003:
	A buffer overflow in lprm(1) may allow an attacker to gain
	root privileges.</a>
<li><a href="errata31.html#sendmail">March 3, 2003:
	A buffer overflow in the envelope comments processing in
	sendmail(8) may allow an attacker to gain root privileges.</a>
<li><a href="errata31.html#ssl2">February 23, 2003:
	In ssl(8) an information leak can occur via timing by performing
	a MAC computation even if incorrect block cipher padding has 
	been found, this is a countermeasure. Also, check for negative
	sizes, in allocation routines.</a>
<li><a href="errata31.html#cvs">January 20, 2003:
	A double free exists in cvs(1) that could lead to privilege
	escalation for cvs configurations where the cvs command is
	run as a privileged user</a>.
<li><a href="errata31.html#named">November 14, 2002:
	A buffer overflow exists in named(8) that could lead to a
	remote crash or code execution as user named in a chroot jail.</a>
<li><a href="errata31.html#kernresource">November 6, 2002:
	Incorrect argument checking in the getitimer(2) system call
	may allow an attacker to crash the system.</a>
<li><a href="errata31.html#smrsh">November 6, 2002:
	An attacker can bypass smrsh(8)'s restrictions and execute
	arbitrary commands with the privileges of his own account.</a>
<li><a href="errata31.html#kadmin">October 21, 2002:
	A buffer overflow can occur in the kadmind(8) daemon, leading
	to possible remote crash or exploit.</a>
<li><a href="errata31.html#kerntime">October 2, 2002:
	Incorrect argument checking in the setitimer(2) system call
	may allow an attacker to write to kernel memory.</a>
<li><a href="errata31.html#scarg">August 11, 2002:
	An insufficient boundary check in the select system call
	allows an attacker to overwrite kernel memory and execute arbitrary code
	in kernel context.</a>
<li><a href="errata31.html#ssl">July 30, 2002:
	Several remote buffer overflows can occur in the SSL2 server and SSL3
	client of the ssl(8) library, as in the ASN.1 parser code in the
	crypto(3) library, all of them being potentially remotely
	exploitable.</a>
<li><a href="errata31.html#xdr">July 29, 2002:
	A buffer overflow can occur in the xdr_array(3) RPC code, leading to
	possible remote crash.</a>
<li><a href="errata31.html#pppd">July 29, 2002:
	A race condition exists in the pppd(8) daemon which may cause it to
	alter the file permissions of an arbitrary file.</a>
<li><a href="errata31.html#isakmpd">July 5, 2002:
	Receiving IKE payloads out of sequence can cause isakmpd(8) to
	crash.</a>
<li><a href="errata31.html#ktrace">June 27, 2002:
	The kernel would let any user ktrace set[ug]id processes.</a>
<li><a href="errata31.html#modssl">June 26, 2002:
	A buffer overflow can occur in the .htaccess parsing code in
	mod_ssl httpd module, leading to possible remote crash or exploit.</a>
<li><a href="errata31.html#resolver">June 25, 2002:
	A potential buffer overflow in the DNS resolver has been found.</a>
<li><a href="errata31.html#sshd">June 24, 2002:
	All versions of OpenSSH's sshd between 2.3.1 and 3.3 contain an
	input validation error that can result in an integer overflow and
	privilege escalation.</a>
<li><a href="errata31.html#httpd">June 19, 2002:
	A buffer overflow can occur during the interpretation of chunked
	encoding in httpd(8), leading to possible remote crash.</a>
<li><a href="errata31.html#sshbsdauth">May 22, 2002:
        Under certain conditions, on systems using YP with netgroups
        in the password database, it is possible that sshd(8) does
        ACL checks for the requested user name but uses the password
        database entry of a different user for authentication.  This
        means that denied users might authenticate successfully
        while permitted users could be locked out.</a>
<li><a href="errata31.html#fdalloc2">May 8, 2002:
	A race condition exists that could defeat the kernel's
	protection of fd slots 0-2 for setuid processes.</a>
<li><a href="errata31.html#sudo">April 25, 2002:
	A bug in sudo may allow an attacker to corrupt the heap.</a>
<li><a href="errata31.html#sshafs">April 22, 2002:
        A local user can gain super-user privileges due to a buffer
        overflow in sshd(8) if AFS has been configured on the system
        or if KerberosTgtPassing or AFSTokenPassing has been enabled
        in the sshd_config file.</a>
</ul>

<p>
<li>
<a name="30"></a>

<h3><font color="#e00000">OpenBSD 3.0 Security Advisories</font></h3>
These are the OpenBSD 3.0 advisories -- all these problems are solved 
in <a href="anoncvs.html">OpenBSD current</a>. The
<a href="stable.html">patch branch</a> for 3.0 is no longer being maintained,
you should update your machine.

<p>
<ul>
<li><a href="errata30.html#named">November 14, 2002:
	A buffer overflow exists in named(8) that could lead to a
	remote crash or code execution as user named in a chroot jail.</a>
<li><a href="errata30.html#kernresource">November 6, 2002:
	Incorrect argument checking in the getitimer(2) system call
	may allow an attacker to crash the system.</a>
<li><a href="errata30.html#smrsh">November 6, 2002:
	An attacker can bypass smrsh(8)'s restrictions and execute
	arbitrary commands with the privileges of his own account.</a>
<li><a href="errata30.html#kadmin">October 21, 2002:
	A buffer overflow can occur in the kadmind(8) daemon, leading
	to possible remote crash or exploit.</a>
<li><a href="errata30.html#kerntime">October 7, 2002:
	Incorrect argument checking in the setitimer(2) system call
	may allow an attacker to write to kernel memory.</a>
<li><a href="errata30.html#scarg">August 11, 2002:
	An insufficient boundary check in the select and poll system calls
	allows an attacker to overwrite kernel memory and execute arbitrary code
	in kernel context.</a>
<li><a href="errata30.html#ssl">July 30, 2002:
	Several remote buffer overflows can occur in the SSL2 server and SSL3
	client of the ssl(8) library, as in the ASN.1 parser code in the
	crypto(3) library, all of them being potentially remotely
	exploitable.</a>
<li><a href="errata30.html#xdr">July 29, 2002:
	A buffer overflow can occur in the xdr_array(3) RPC code, leading to
	possible remote crash.</a>
<li><a href="errata30.html#pppd">July 29, 2002:
	A race condition exists in the pppd(8) daemon which may cause it to
	alter the file permissions of an arbitrary file.</a>
<li><a href="errata30.html#isakmpd2">July 5, 2002:
	Receiving IKE payloads out of sequence can cause isakmpd(8) to
	crash.</a>
<li><a href="errata30.html#ktrace">June 27, 2002:
	The kernel would let any user ktrace set[ug]id processes.</a>
<li><a href="errata30.html#resolver">June 25, 2002:
	A potential buffer overflow in the DNS resolver has been found.</a>
<li><a href="errata30.html#sshdauth">June 24, 2002:
	All versions of OpenSSH's sshd between 2.3.1 and 3.3 contain an
	input validation error that can result in an integer overflow and
	privilege escalation.</a>
<li><a href="errata30.html#modssl">June 24, 2002:
	A buffer overflow can occur in the .htaccess parsing code in
	mod_ssl httpd module, leading to possible remote crash or exploit.</a>
<li><a href="errata30.html#httpd">June 19, 2002:
	A buffer overflow can occur during the interpretation of chunked
	encoding in httpd(8), leading to possible remote crash.</a>
<li><a href="errata30.html#fdalloc2">May 8, 2002:
	A race condition exists that could defeat the kernel's
	protection of fd slots 0-2 for setuid processes.</a>
<li><a href="errata30.html#sudo2">April 25, 2002:
	A bug in sudo may allow an attacker to corrupt the heap.</a>
<li><a href="errata30.html#sshafs">April 22, 2002:
        A local user can gain super-user privileges due to a buffer
        overflow in sshd(8) if AFS has been configured on the system
        or if KerberosTgtPassing or AFSTokenPassing has been enabled
        in the sshd_config file.</a>
<li><a href="errata30.html#mail">April 11, 2002:
	The mail(1) was interpreting tilde escapes even when invoked
	in non-interactive mode.  As mail(1) is called as root from cron,
	this can lead to a local root compromise.</a>
<li><a href="errata30.html#approval">March 19, 2002:
	Under certain conditions, on systems using YP with netgroups in
	the password database, it is possible for the rexecd(8) and rshd(8)
	daemons to execute a shell from a password database entry for a
	different user. Similarly, atrun(8) may change to the wrong
	home directory when running jobs.</a>
<li><a href="errata30.html#zlib">March 13, 2002:
	A potential double free() exists in the zlib library;
	this is not exploitable on OpenBSD.
	The kernel also contains a copy of zlib; it is not
	currently known if the kernel zlib is exploitable.</a>
<li><a href="errata30.html#openssh">March 8, 2002:
	An off-by-one check in OpenSSH's channel forwarding code
	may allow a local user to gain super-user privileges.</a>
<li><a href="errata30.html#ptrace">January 21, 2002:
	A race condition between the ptrace(2) and execve(2) system calls
	allows an attacker to modify the memory contents of suid/sgid
	processes which could lead to compromise of the super-user account.</a>
<li><a href="errata30.html#sudo">January 17, 2002:
	There is a security hole in sudo(8) that can be exploited
	when the Postfix sendmail replacement is installed that may
	allow an attacker on the local host to gain root privileges.</a>
<li><a href="errata30.html#lpd">November 28, 2001:
	An attacker can trick a machine running the lpd daemon into
	creating new files in the root directory from a machine with
	remote line printer access.</a>
<li><a href="errata30.html#vi.recover">November 13, 2001:
	The vi.recover script can be abused in such a way as
	to cause arbitrary zero-length files to be removed.</a>
<li><a href="errata30.html#pf">November 13, 2001:
	pf(4) was incapable of dealing with certain ipv6 icmp packets,
	resulting in a crash.</a>
<li><a href="errata30.html#sshd">November 12, 2001:
	A security hole that may allow an attacker to partially authenticate
	if -- and only if -- the administrator has enabled KerberosV.</a>
</ul>

<p>
<li>
<a name="29"></a>

<h3><font color="#e00000">OpenBSD 2.9 Security Advisories</font></h3>
These are the OpenBSD 2.9 advisories -- all these problems are solved 
in <a href="anoncvs.html">OpenBSD current</a>. The 
<a href="stable.html">patch branch</a>. for 2.9 is no longer being maintained,
you should update your machine.


<p>
<ul>
<li><a href="errata29.html#resolver">June 25, 2002:
	A potential buffer overflow in the DNS resolver has been found.</a>
<li><a href="errata29.html#fdalloc2">May 8, 2002:
	A race condition exists that could defeat the kernel's
	protection of fd slots 0-2 for setuid processes.</a>
<li><a href="errata29.html#sudo2">April 25, 2002:
	A bug in sudo may allow an attacker to corrupt the heap.</a>
<li><a href="errata29.html#sshafs">April 22, 2002:
        A local user can gain super-user privileges due to a buffer
        overflow in sshd(8) if AFS has been configured on the system
        or if KerberosTgtPassing or AFSTokenPassing has been enabled
        in the sshd_config file.</a>
<li><a href="errata29.html#mail">April 11, 2002:
	The mail(1) was interpreting tilde escapes even when invoked
	in non-interactive mode.  As mail(1) is called as root from cron,
	this can lead to a local root compromise.</a>
<li><a href="errata29.html#zlib">March 13, 2002:
	A potential double free() exists in the zlib library;
	this is not exploitable on OpenBSD.
	The kernel also contains a copy of zlib; it is not
	currently known if the kernel zlib is exploitable.</a>
<li><a href="errata29.html#openssh">March 8, 2002:
	An off-by-one check in OpenSSH's channel forwarding code
	may allow a local user to gain super-user privileges.</a>
<li><a href="errata29.html#ptrace">January 21, 2002:
	A race condition between the ptrace(2) and execve(2) system calls
	allows an attacker to modify the memory contents of suid/sgid
	processes which could lead to compromise of the super-user account.</a>
<li><a href="errata29.html#sudo">January 17, 2002:
	There is a security hole in sudo(8) that can be exploited
	when the Postfix sendmail replacement is installed that may
	allow an attacker on the local host to gain root privileges.</a>
<li><a href="errata29.html#lpd2">November 28, 2001:
	An attacker can trick a machine running the lpd daemon into
	creating new files in the root directory from a machine with
	remote line printer access.</a>
<li><a href="errata29.html#vi.recover">November 13, 2001:
	The vi.recover script can be abused in such a way as
	to cause arbitrary zero-length files to be removed.</a>
<li><a href="errata29.html#uucp">September 11, 2001:
	A security hole exists in uuxqt(8) that may allow an
	attacker to gain root privileges.</a>
<li><a href="errata29.html#lpd">August 29, 2001:
	A security hole exists in lpd(8) that may allow an
	attacker to gain root privileges if lpd is running.</a>
<li><a href="errata29.html#sendmail2">August 21, 2001:
	A security hole exists in sendmail(8) that may allow an
	attacker on the local host to gain root privileges.</a>
<li><a href="errata29.html#nfs">July 30, 2001:
	A kernel buffer overflow in the NFS code can be used to execute
	arbitrary code by users with mount privileges (only root by
	default).</a>
<li><a href="errata29.html#kernexec">June 15, 2001:
	A race condition in the kernel can lead to local root compromise.</a>
<li><a href="errata29.html#sshcookie">June 12, 2001:
        sshd(8) allows users to delete arbitrary files named "cookies"
        if X11 forwarding is enabled. X11 forwarding is disabled
        by default.</a>
<li><a href="errata29.html#fts">May 30, 2001:
        Programs using the fts routines can be tricked into changing
        into the wrong directory.</a>
<li><a href="errata29.html#sendmail">May 29, 2001:
	Sendmail signal handlers contain unsafe code,
	leading to numerous race conditions.</a>
</ul>

<p>
<li>
<a name="28"></a>

<h3><font color="#e00000">OpenBSD 2.8 Security Advisories</font></h3>
These are the OpenBSD 2.8 advisories -- all these problems are solved 
in <a href="anoncvs.html">OpenBSD current</a>. The 
<a href="stable.html">patch branch</a>. for 2.8 is no longer being maintained,
you should update your machine.


<p>
<ul>
<li><a href="errata28.html#uucp">September 11, 2001:
	A security hole exists in uuxqt(8) that may allow an
	attacker to gain root privileges.</a>
<li><a href="errata28.html#lpd">August 29, 2001:
	A security hole exists in lpd(8) that may allow an
	attacker to gain root privileges if lpd is running.</a>
<li><a href="errata28.html#sendmail2">August 21, 2001:
	A security hole exists in sendmail(8) that may allow an
	attacker on the local host to gain root privileges.</a>
<li><a href="errata28.html#kernexec">June 15, 2001:
	A race condition in the kernel can lead to local root compromise.</a>
<li><a href="errata28.html#fts">May 30, 2001:
        Programs using the fts routines can be tricked into changing
        into the wrong directory.</a>
<li><a href="errata28.html#sendmail">May 29, 2001:
	Sendmail signal handlers contain unsafe code,
	leading to numerous race conditions.</a>
<li><a href="errata28.html#ipf_frag">Apr 23, 2001:
	IPF contains a serious bug with its handling of fragment caching.</a>
<li><a href="errata28.html#glob_limit">Apr 23, 2001:
	ftpd(8) contains a potential DoS relating to glob(3).</a>
<li><a href="errata28.html#glob">Apr 10, 2001:
	The glob(3) library call contains multiple buffer overflows.</a>
<li><a href="errata28.html#readline">Mar 18, 2001:
	The readline library creates history files with permissive modes based on the user's umask.</a>
<li><a href="errata28.html#ipsec_ah">Mar 2, 2001:
	Insufficient checks in the IPSEC AH IPv4 option handling code can lead to a buffer overrun in the kernel.</a>
<li><a href="errata28.html#userldt">Mar 2, 2001:
	The <b>USER_LDT</b> kernel option allows an attacker to gain access to privileged areas of kernel memory.</a>
<li><a href="errata28.html#sudo">Feb 22, 2001:
	a non-exploitable buffer overflow was fixed in sudo(8).</a>
<li><a href="errata28.html#named">Jan 29, 2001:
	merge named(8) with ISC BIND 4.9.8-REL, which fixes some buffer vulnerabilities.</a>
<li><a href="errata28.html#rnd">Jan 22, 2001:
	rnd(4) did not use all of its input when written to.</a>
<li><a href="errata28.html#xlock">Dec 22, 2000:
	xlock(1)'s authentication was re-done to authenticate via a named pipe. (patch and new xlock binaries included).</a>
<li><a href="errata28.html#procfs">Dec 18, 2000:
	Procfs contains numerous overflows. Procfs is not used by default in OpenBSD. (patch included).</a>
<li><a href="errata28.html#kerberos2">Dec 10, 2000:
	Another problem exists in KerberosIV libraries (patch included).</a>
<li><a href="errata28.html#kerberos">Dec 7, 2000:
	A set of problems in KerberosIV exist (patch included).</a>
<li><a href="errata28.html#ftpd">Dec 4, 2000:
	A single-byte buffer overflow exists in ftpd (patch included).</a>
</ul>

<p>
<li>
<a name="27"></a>

<h3><font color="#e00000">OpenBSD 2.7 Security Advisories</font></h3>
These are the OpenBSD 2.7 advisories -- all these problems are solved 
in <a href="anoncvs.html">OpenBSD current</a>.  Obviously, all the
OpenBSD 2.6 advisories listed below are fixed in OpenBSD 2.7.

<p>
<ul>
<li><a href="errata27.html#readline">Mar 18, 2001:
	The readline library creates history files with permissive modes based on the user's umask.</a>
<li><a href="errata27.html#sudo">Feb 22, 2001:
	a buffer overflow was fixed in sudo(8).</a>
<li><a href="errata27.html#ftpd">Dec 4, 2000:
	A single-byte buffer overflow exists in ftpd (patch included).</a>
<li><a href="errata27.html#sshforwarding">Nov 10, 2000:
	Hostile servers can force OpenSSH clients to do agent or X11 forwarding.
	(patch included)</a>
<li><a href="errata27.html#xtrans">Oct 26, 2000:
	X11 libraries have 2 potential overflows in xtrans code.
	(patch included)</a>
<li><a href="errata27.html#httpd">Oct 18, 2000:
	Apache mod_rewrite and mod_vhost_alias modules could expose files 
	on the server in certain configurations if used.
	(patch included)</a>
<li><a href="errata27.html#telnetd">Oct 10, 2000:
	The telnet daemon does not strip out the TERMINFO, TERMINFO_DIRS,
	TERMPATH and TERMCAP environment variables as it should.
	(patch included)</a>
<li><a href="errata27.html#format_strings">Oct 6, 2000:
	There are printf-style format string bugs in several privileged
	programs.  (patch included)</a>
<li><a href="errata27.html#curses">Oct 6, 2000:
	libcurses honored terminal descriptions in the $HOME/.terminfo
	directory as well as in the TERMCAP environment variable for
	setuid and setgid applications.
	(patch included)</a>
<li><a href="errata27.html#talkd">Oct 6, 2000:
	A format string vulnerability exists in talkd(8).
	(patch included)</a>
<li><a href="errata27.html#pw_error">Oct 3, 2000:
	A format string vulnerability exists in the pw_error() function of the
	libutil library, yielding localhost root through chpass(1).
	(patch included)</a>
<li><a href="errata27.html#ipsec">Sep 18, 2000:
	Bad ESP/AH packets could cause a crash under certain conditions.
	(patch included)</a>
<li><a href="errata27.html#xlock">Aug 16, 2000:
	A format string vulnerability (localhost root) exists in xlock(1).
	(patch included)</a>
<li><a href="errata27.html#X11_libs">July 14, 2000:
	Various bugs found in X11 libraries have various side effects, almost
	completely denial of service in OpenBSD.
	(patch included)</a>
<li><a href="errata27.html#ftpd">July 5, 2000:
	Just like pretty much all the other unix ftp daemons
	on the planet, ftpd had a remote root hole in it.
	Luckily, ftpd was not enabled by default.
	The problem exists if anonymous ftp is enabled.
	(patch included)</a>
<li><a href="errata27.html#mopd">July 5, 2000:
	Mopd, very rarely used, contained some buffer overflows.
	(patch included)</a>
<li><a href="errata27.html#libedit">June 28, 2000:
	libedit would check for a <b>.editrc</b> file in the current
	directory.  Not known to be a real security issue, but a patch
	is available anyways.
	(patch included)</a>
<li><a href="errata27.html#dhclient">June 24, 2000:
	A serious bug in dhclient(8) could allow strings from a
	malicious dhcp server to be executed in the shell as root.
	(patch included)</a>
<li><a href="errata27.html#isakmpd">June 9, 2000:
	A serious bug in isakmpd(8) policy handling wherein
	policy verification could be completely bypassed in isakmpd.
	(patch included)</a>
<li><a href="errata27.html#uselogin">June 6, 2000:
	The non-default flag UseLogin in <b>/etc/sshd_config</b> is broken,
	should not be used, and results in security problems on
	other operating systems.</a>
<li><a href="errata27.html#bridge">May 26, 2000:
	The bridge(4) <i>learning</i> flag may be bypassed.
	(patch included)</a>
<li><a href="errata27.html#ipf">May 25, 2000:
	Improper use of ipf <i>keep-state</i> rules can result
	in firewall rules being bypassed. (patch included)</a>
	
</ul>

<p>
<li>
<a name="26"></a>

<h3><font color="#e00000">OpenBSD 2.6 Security Advisories</font></h3>
These are the OpenBSD 2.6 advisories -- all these problems are solved 
in <a href="anoncvs.html">OpenBSD current</a>.  Obviously, all the
OpenBSD 2.5 advisories listed below are fixed in OpenBSD 2.6.

<p>
<ul>
<li><a href="errata26.html#semconfig">May 26, 2000:
	SYSV semaphore support contained an undocumented system call
	which could wedge semaphore-using processes from exiting. (patch included)</a>
<li><a href="errata26.html#ipf">May 25, 2000:
	Improper use of ipf <i>keep-state</i> rules can result
	in firewall rules being bypassed. (patch included)</a>
<li><a href="errata26.html#xlockmore">May 25, 2000: 
	xlockmore has a bug which a localhost attacker can use to gain
	access to the encrypted root password hash (which is normally
	encoded using blowfish</a> (see
	<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=crypt&amp;sektion=3">
	crypt(3)</a>)
	(patch included).
<li><a href="errata26.html#procfs">Jan 20, 2000: 
	Systems running with procfs enabled and mounted are
	vulnerable to a very tricky exploit.  procfs is not
	mounted by default.
	(patch included).</a>
<li><a href="errata26.html#sendmail">Dec 4, 1999:
	Sendmail permitted any user to cause an aliases file wrap,
	thus exposing the system to a race where the aliases file
	did not exist.
	(patch included).</a>
<li><a href="errata26.html#poll">Dec 4, 1999:
	Various bugs in poll(2) may cause a kernel crash.</a>
<li><a href="errata26.html#sslUSA">Dec 2, 1999:
	A buffer overflow in the RSAREF code included in the
	USA version of libssl, is possibly exploitable in
	httpd, ssh, or isakmpd, if SSL/RSA features are enabled.
	(patch included).<br></a>
	<strong>Update:</strong> Turns out that this was not exploitable
	in any of the software included in OpenBSD 2.6.
<li><a href="errata26.html#ifmedia">Nov 9, 1999: 
	Any user could change interface media configurations, resulting in
	a localhost denial of service attack.
	(patch included).</a>
</ul>

<p>
<li>
<a name="25"></a>

<h3><font color="#e00000">OpenBSD 2.5 Security Advisories</font></h3>
These are the OpenBSD 2.5 advisories -- all these problems are solved 
in <a href="anoncvs.html">OpenBSD current</a>.  Obviously, all the
OpenBSD 2.4 advisories listed below are fixed in OpenBSD 2.5.

<p>
<ul>
<li><a href="errata25.html#cron">Aug 30, 1999: 
	In cron(8), make sure argv[] is NULL terminated in the
	fake popen() and run sendmail as the user, not as root.
	(patch included).</a>
<li><a href="errata25.html#miscfs">Aug 12, 1999: The procfs and fdescfs
	filesystems had an overrun in their handling of uio_offset
	in their readdir() routines. (These filesystems are not
	enabled by default). (patch included).</a>
<li><a href="errata25.html#profil">Aug 9, 1999: Stop profiling (see profil(2))
	when we execve() a new process. (patch included).</a>
<li><a href="errata25.html#ipsec_in_use">Aug 6, 1999: Packets that should have
	been handled by IPsec may be transmitted as cleartext.
	PF_KEY SA expirations may leak kernel resources.
	(patch included).</a>
<li><a href="errata25.html#rc">Aug 5, 1999: In /etc/rc, use mktemp(1) for
	motd re-writing and change the find(1) to use -execdir
	(patch included).</a>
<li><a href="errata25.html#chflags">Jul 30, 1999: Do not permit regular
	users to chflags(2) or fchflags(2) on character or block devices
	which they may currently be the owner of (patch included).</a>
<li><a href="errata25.html#nroff">Jul 27, 1999: Cause groff(1) to be invoked
	with the -S flag, when called by nroff(1) (patch included).</a>
</ul>

<p>
<li>
<a name="24"></a>

<h3><font color="#e00000">OpenBSD 2.4 Security Advisories</font></h3>
These are the OpenBSD 2.4 advisories -- all these problems are solved 
in <a href="anoncvs.html">OpenBSD current</a>.  Obviously, all the
OpenBSD 2.3 advisories listed below are fixed in OpenBSD 2.4.

<p>
<ul>
<li><a href="errata24.html#poll">Mar 22, 1999: The nfds argument for poll(2) needs
	to be constrained, to avoid kvm starvation (patch included).</a>
<li><a href="errata24.html#tss">Mar 21, 1999: A change in TSS handling stops
	another kernel crash case caused by the <strong>crashme</strong>
	program (patch included).</a>
<li><a href="errata24.html#nlink">Feb 25, 1999: An unbounded increment on the
	nlink value in FFS and EXT2FS filesystems can cause a system crash.
	(patch included).</a>
<li><a href="errata24.html#ping">Feb 23, 1999: Yet another buffer overflow
	existed in ping(8). (patch included).</a>
<li><a href="errata24.html#ipqrace">Feb 19, 1999: ipintr() had a race in use of
	the ipq, which could permit an attacker to cause a crash. 
	(patch included).</a>
<li><a href="errata24.html#accept">Feb 17, 1999: A race condition in the
	kernel between accept(2) and select(2) could permit an attacker
	to hang sockets from remote.
	(patch included).</a>
<li><a href="errata24.html#maxqueue">Feb 17, 1999: IP fragment assembly can
	bog the machine excessively and cause problems.
	(patch included).</a>
<li><a href="errata24.html#trctrap">Feb 12, 1999: i386 T_TRCTRAP handling and
	DDB interacted to possibly cause a crash.
	(patch included).</a>
<li><a href="errata24.html#rst">Feb 11, 1999: TCP/IP RST handling was sloppy.
	(patch included).</a>
<li><a href="errata24.html#bootpd">Nov 27, 1998: There is a remotely exploitable
	problem in bootpd(8). (patch included).</a>
<li><a href="errata24.html#termcap">Nov 19, 1998: There is a possibly locally
	exploitable problem relating to environment variables in termcap
	and curses. (patch included).</a>
<li><a href="errata24.html#tcpfix">Nov 13, 1998: There is a remote machine lockup
	bug in the TCP decoding kernel. (patch included).</a>
</ul>

<p>
<li>
<a name="23"></a>

<h3><font color="#e00000">OpenBSD 2.3 Security Advisories</font></h3>
These are the OpenBSD 2.3 advisories -- all these problems are solved 
in <a href="anoncvs.html">OpenBSD current</a>.  Obviously, all the
OpenBSD 2.2 advisories listed below are fixed in OpenBSD 2.3.

<p>
<ul>
<li><a href="errata23.html#bootpd">Nov 27, 1998: There is a remotely exploitable
	problem in bootpd(8). (patch included).</a>
<li><a href="errata23.html#tcpfix">Nov 13, 1998: There is a remote machine lockup
	bug in the TCP decoding kernel. (patch included).</a>
<li><a href="errata23.html#resolver">August 31, 1998: A benign looking resolver
	buffer overflow bug was re-introduced accidentally (patches included).</a>
<li><a href="errata23.html#chpass">Aug 2, 1998:
	chpass(1) has a file descriptor leak which allows an
	attacker to modify /etc/master.passwd.</a>
<li><a href="errata23.html#inetd">July 15, 1998: Inetd had a file descriptor leak.</a>
<li><a href="errata23.html#fdalloc">Jul  2, 1998: setuid and setgid processes
	should not be executed with fd slots 0, 1, or 2 free.
	(patch included).</a>
<li><a href="errata23.html#xlib">June 6, 1998: Further problems with the X
	libraries (patches included).</a>
<li><a href="errata23.html#kill">May 17, 1998: kill(2) of setuid/setgid target
	processes too permissive (4th revision patch included).</a>
<li><a href="errata23.html#immutable">May 11, 1998: mmap() permits partial bypassing
	of immutable and append-only file flags. (patch included).</a>
<li><a href="errata23.html#ipsec">May  5, 1998: Incorrect handling of IPSEC packets
	if IPSEC is enabled (patch included).</a>
<li><a href="errata23.html#xterm-xaw">May  1, 1998: Buffer overflow in xterm and Xaw
	(CERT advisory VB-98.04) (patch included).</a>
</ul>

<p>
<li>
<a name="22"></a>

<h3><font color="#e00000">OpenBSD 2.2 Security Advisories</font></h3>
These are the OpenBSD 2.2 advisories.  All these problems are solved
in <a href="23.html">OpenBSD 2.3</a>.  Some of these problems
still exist in other operating systems.  (The supplied patches are for
OpenBSD 2.2; they may or may not work on OpenBSD 2.1).

<p>
<ul>
<li><a href="errata22.html#ipsec">May  5, 1998: Incorrect handling of IPSEC
	packets if IPSEC is enabled (patch included).</a>
<li><a href="errata22.html#xterm-xaw">May  1, 1998: Buffer overflow in xterm
	and Xaw (CERT advisory VB-98.04) (patch included).</a>
<li><a href="errata22.html#uucpd">Apr 22, 1998: Buffer overflow in uucpd
	(patch included).</a>
<li><a href="errata22.html#rmjob">Apr 22, 1998: Buffer mismanagement in lprm
	(patch included).</a>
<li><a href="errata22.html#ping">Mar 31, 1998: Overflow in ping -R (patch included).</a>
<li><a href="errata22.html#named">Mar 30, 1998: Overflow in named fake-iquery
	(patch included).</a>
<li><a href="errata22.html#mountd">Mar  2, 1998: Accidental NFS filesystem
	export (patch included).</a>
<li><a href="advisories/mmap.txt">Feb 26, 1998: Read-write mmap() flaw.</a>
	Revision 3 of the patch is available <a href="errata22.html#mmap">here</a>
<li><a href="advisories/sourceroute.txt">Feb 19, 1998: Sourcerouted Packet
	Acceptance.</a>
	A patch is available <a href="errata22.html#sourceroute">here</a>.
<li><a href="errata22.html#ruserok">Feb 13, 1998: Setuid coredump &amp; Ruserok()
	flaw (patch included).</a>
<li><a href="errata22.html#ldso">Feb  9, 1998: MIPS ld.so flaw (patch included).</a>
</ul>

<p>
<li>
<a name="21"></a>

<h3><font color="#e00000">OpenBSD 2.1 Security Advisories</font></h3>
These are the OpenBSD 2.1 advisories.  All these problems are solved
in <a href="22.html">OpenBSD 2.2</a>.  Some of these problems still
exist in other operating systems.  (If you are running OpenBSD 2.1, we
would strongly recommend an upgrade to the newest release, as this
patch list only attempts at fixing the most important security
problems.  In particular, OpenBSD 2.2 fixes numerous localhost
security problems.  Many of those problems were solved in ways which
make it hard for us to provide patches).

<p>
<ul>
<li><a href="advisories/signals.txt">Sep 15, 1997: Deviant Signals (patch included)</a>
<li><a href="advisories/rfork.txt">Aug  2, 1997: Rfork() system call flaw
	(patch included)</a>
<li><a href="advisories/procfs.txt">Jun 24, 1997: Procfs flaws (patch included)</a>
</ul>

<p>
<li>
<a name="20"></a>

<h3><font color="#e00000">OpenBSD 2.0 Security Advisories</font></h3>
These are the OpenBSD 2.0 advisories.  All these problems are solved
in <a href="21.html">OpenBSD 2.1</a>.  Some of these problems still
exist in other operating systems.  (If you are running OpenBSD 2.0, we
commend you for being there back in the old days!, but you're really
missing out if you don't install a new version!)

<p>
<ul>
<li><a href="advisories/res_random.txt">April 22, 1997: Predictable IDs in the
	resolver (patch included)</a> 
<li>Many others... if people can hunt them down, please let me know
	and we'll put them up here.
</ul>
<p>

<a name="watching"></a>
<li><h3><font color="#e00000">Watching our Changes</font></h3><p>

Since we take a proactive stance with security, we are continually
finding and fixing new security problems.  Not all of these problems
get widely reported because (as stated earlier) many of them are not
confirmed to be exploitable; many simple bugs we fix do turn out to
have security consequences we could not predict.  We do not have the
time resources to make these changes available in the above format.<p>

Thus there are usually minor security fixes in the current source code
beyond the previous major OpenBSD release.  We make a limited
guarantee that these problems are of minimal impact and unproven
exploitability.  If we discover that a problem definitely matters for
security, patches will show up here <strong>VERY</strong> quickly.<p>

People who are really concerned with security can do a number of
things:<p>

<ul>
<li>If you understand security issues, watch our
	<a href="mail.html">source-changes mailing list</a> and keep an
	eye out for things which appear security related.  Since
	exploitability is not proven for many of the fixes we make,
	do not expect the relevant commit message to say "SECURITY FIX!".
	If a problem is proven and serious, a patch will be available
	here very shortly after.
<li>In addition to source changes, you can watch our <a href="mail.html">
	security-announce mailing list</a> which will notify you for every
	security related item that the OpenBSD team deems as a possible threat,
	and instruct you on how to patch the problem.
<li>Track our current source code tree, and teach yourself how to do a
	complete system build from time to time (read /usr/src/Makefile
	carefully).  Users can make the assumption that the current
	source tree always has stronger security than the previous release.
	However, building your own system from source code is not trivial;
	it is nearly 600MB of source code, and problems do occur as we
	transition between major releases.
<li>Install a binary snapshot for your
	architecture, which are made available fairly often.  For
	instance, an i386 snapshot is typically made available weekly. 
</ul>

<p>
<a name="reporting"></a>
<li><h3><font color="#e00000">Reporting problems</font></h3><p>

<p> If you find a new security problem, you can mail it to
<a href="mailto:deraadt@openbsd.org">deraadt@openbsd.org</a>.
<br>
If you wish to PGP encode it (but please only do so if privacy is very
urgent, since it is inconvenient) use this <a href="advisories/pgpkey.txt">pgp key</a>.

<p>
<a name="papers"></a>
<li><h3><font color="#e00000">Further Reading</font></h3><p>

A number of papers have been written by OpenBSD team members, about security
related changes they have done in OpenBSD.  The postscript versions of these
documents are available as follows.<p>

<ul>
<li>A Future-Adaptable Password Scheme.<br>
    <a href="events.html#usenix99">Usenix 1999</a>,
    by <a href="mailto:provos@openbsd.org">Niels Provos</a>,
    <a href="mailto:dm@openbsd.org">David Mazieres</a>.<br>
    <a href="papers/bcrypt-paper.ps">paper</a> and
    <a href="papers/bcrypt-slides.ps">slides</a>.
<p>
<li>Cryptography in OpenBSD: An Overview.<br>
    <a href="events.html#usenix99">Usenix 1999</a>,
    by <a href="mailto:deraadt@openbsd.org">Theo de Raadt</a>,
    <a href="mailto:niklas@openbsd.org">Niklas Hallqvist</a>,
    <a href="mailto:art@openbsd.org">Artur Grabowski</a>,
    <a href="mailto:angelos@openbsd.org">Angelos D. Keromytis</a>,
    <a href="mailto:provos@openbsd.org">Niels Provos</a>.<br>
    <a href="papers/crypt-paper.ps">paper</a> and
    <a href="papers/crypt-slides.ps">slides</a>.
<p>
<li>strlcpy and strlcat -- consistent, safe, string copy and concatenation.<br>
    <a href="events.html#usenix99">Usenix 1999</a>,
    by <a href="mailto:millert@openbsd.org">Todd C. Miller</a>,
    <a href="mailto:deraadt@openbsd.org">Theo de Raadt</a>.<br>
    <a href="papers/strlcpy-paper.ps">paper</a> and
    <a href="papers/strlcpy-slides.ps">slides</a>.
<p>
<li>Dealing with Public Ethernet Jacks-Switches, Gateways, and Authentication.<br>
    <a href="events.html#lisa99">LISA 1999</a>,
    by <a href="mailto:beck@openbsd.org">Bob Beck</a>.<br>
    <a href="papers/authgw-paper.ps">paper</a> and
    <a href="papers/authgw-slides.ps">slides</a>.
<p>
<li>Encrypting Virtual Memory<br>
    <a href="events.html#sec2000">Usenix Security 2000</a>,
    <a href="mailto:provos@openbsd.org">Niels Provos</a>.<br>
    <a href="papers/swapencrypt.ps">paper</a> and
    <a href="papers/swapencrypt-slides.ps">slides</a>.
<p>
</ul>
</ul>

<hr>
<a href="index.html"><img height=24 width=24 src="back.gif" border=0 alt="OpenBSD"></a>
<a href="mailto:www@openbsd.org">www@openbsd.org</a>
<br>
<small>$OpenBSD: security.html,v 1.362 2008/07/23 18:31:35 brad Exp $</small>

</body>
</html>
